For us at TeleDoc you always come first, as a person and as a patient. This Data Protection Declaration explains how we handle your personal data – the personal data that form the technical and administrative basis for the telemedical consultations that are provided by the doctors and that you can arrange via our app (hereafter referred to as “services”) – when you register for and use our app and when you want to make use of our services.
This Data Protection Declaration describes who is responsible for processing your personal data (data control). It also describes how we process your personal data, the legal basis upon which we do this, your rights vis-à-vis the processing of your personal data, how you can exercise these rights and how you can contact us if you have any questions about our data protection measures.
Please note that TeleDoc itself does not deliver any medical services. All the advice, including the medical suggestions, recommendations and treatment plans that you receive via our app (the “telemedical services”), is provided by independent external doctors, who are neither controlled by nor connected with TeleDoc (the “partner doctors”). These partner doctors are responsible for the entire processing of personal data that takes place in the course of the delivery of telemedical services.
The responsible entity in line with Art 4 Para 7 DSGVO is:
TeleDoc Holding GmbH
Data Protection Officer: Alfred Nusshall
If you have any questions concerning the protection and security of your client and user data or if you want to register and/or assert data protection claims and/or rights, you can contact us, TeleDoc Holding GmbH, Absberggasse 31/10, A-1100 Vienna, via e-mail at email@example.com (Subject: Data Protection).
Personal data are “all information that relates to an identified or identifiable individual”. An individual is considered identifiable if they can be directly or indirectly identified, in particular by being associated with an identifier such as a name, an identification number, location information, online identification data or one or more specific features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this individual” (Art 4 Z 1 DSGVO).
1. CATEGORIES OF PROCESSED DATA AND LEGAL BASES
1.1. IDENTITY-RELATED DATA
The following personal data are collected, processed and saved in the course of the use of the TeleDoc app: name, date of birth, social security number (or, in the case of foreign clients, the ID number from a passport or identity card), statutory health insurance provider, gender, home address, telephone number (including country code), e-mail address and password (for TeleDoc account). These data are collected on the basis of a contract concluded during the registration process. Hence, Art 6 Para 1 lit b DSGVO forms a valid legal basis for this.
We only use your data in order to provide you with the desired service. We do not pass on these data to others without your agreement.
If you send us personal data by e-mail – hence, not via our app – we cannot guarantee the secure transmission (hence, the security) of your data. For this reason, we recommend that you never send confidential information unencrypted by e-mail.
1.2. INVOICING DATA
The invoicing data (name, date of birth, type of TeleDoc service (one-off or subscription) and one of the three categories telephone number/insurance data/credit card data) are collected during the registration and it is also necessary to process this data in order to fulfil the contract. Hence, the legal basis for this is Art 6 Para 1 lit b DSGVO. You can find more information about this below under the items “mobile telecommunications companies”, “insurance companies” and “credit card companies”.
1.3. CONNECTION DATA
In the course of our services being used, user data are collected and processed by us. The reasons for this are to ensure the smooth operation of the TeleDoc app and the content and offers found therein, to carry out analysis designed to optimise the offer and guarantee quality or to avoid and eliminate operational errors. Your IP address will not be saved (not even in an anonymised form). Requested information such as the date and time of the call, the data volume and URL references, any error messages and information about the causes of errors are saved and evaluated during the use of the TeleDoc app.
The collection and processing of these data are necessary in order to be able to provide you with and optimise the TeleDoc service. This establishes a legitimate interest of TeleDoc Holding GmbH as the responsible entity, thus meeting the legal basis of Art 6 Para 1 lit f DSGVO.
1.4. HEALTH DATA
Health data (data about your state of health) form a special category of personal data according to Art 9 Para 1 DSGVO (“sensitive data”). Except in the event of direct invoicing via an insurance company (see item 2.4 below), health data are exclusively processed in an encrypted form. It is not possible for TeleDoc to access these data. In particular, therefore, TeleDoc has no direct access to the client’s patient file. During registration, clients expressly agree to the (encrypted) processing of these data in the context of the TeleDoc app. The processing of these data is a necessary prerequisite for providing telemedical treatment. Hence, Art 9 Para 2 lit a DSGVO forms a valid legal basis for this. You can find more information about this below in the item “TeleDoc doctors”.
2. PASSING ON OF DATA TO THIRD PARTIES
We do not pass on data that you give us to third parties. The exceptions to this are the service providers and contractual partners, whom we use for invoicing and authentication purposes and to whom we provide data. Any passing on of your data exclusively takes place on the basis of the DSGVO.
In order to provide the TeleDoc app and invoice our services we use the following service providers and/or categories of service providers and the following contract partners and/or categories of contract partners: IT service providers and payment service providers.
2.1. IT SERVICE PROVIDERS
An IT service provider operates the servers for us. All the processed data are stored on the servers of this third-party provider. This third-party provider makes it possible for us to provide you with the TeleDoc app. Hence, it receives your data and acts on our behalf. TeleDoc has concluded an order processing contract with this IT service provider in line with Art 28 DSGVO. Its headquarters are in Germany. We exclusively use ISO/IEC 270018 certified service providers for the registration and invoicing of our TeleDoc services
2.2. TELEDOC DOCTORS
The TeleDoc doctors receive the data about TeleDoc clients that they require for the video call, for identifying the client and for providing the telemedical service.
This concretely involves the following personal data: telephone number, name, date of birth and gender.
In addition to this, the following health data, which are necessary for the provision of the telemedical service and, according to Art 9 Para 1 DSGVO, are “sensitive data”, are processed by the TeleDoc doctors:
All health data that are uploaded by you yourself and/or recorded in the TeleDoc app under Settings/Profile/Medical and personal (e.g. descriptions of a medical condition).
In addition to this, the TeleDoc doctors process the following data in the course of providing telemedical services:
All health data that were uploaded and/or input by the consulting doctor (e.g. prescriptions, referrals to other doctors or medical facilities, instructions and sick notes) and, on occasions, the identification of the diagnosis on the invoicing letter by means of an ICD 10 code.
The received data are visible to the doctors for up to 24 hours after your consent and these are only saved in an encrypted form in buckets (containers), which can only be seen by a doctor with an active video call with the affected individual.
The personal data documented in the documents (such as prescriptions, referrals to other doctors or medical facilities, instructions and sick notes) are saved by the doctors for a minimum of ten years due to a statutory documentation obligation.
These data are stored for a maximum of one year on the servers that are used by TeleDoc Holding GmbH. They are stored for a longer period if a client has a valid subscription with TeleDoc for longer than a year. In this case the data are stored for the duration of the client’s valid subscription.
2.3. INSURANCE COMPANIES
If you are the client of an insurance company that is our cooperation partner, the invoicing of our services can, in certain circumstances, take place via your insurance company. When registering, the number of the insurance policy is to be entered and this information is matched via an interface. To this end, the identity of the client and the use of the service are communicated to the insurance company. If you want invoicing to take place directly via the insurance company, the insurance company also receives, in certain circumstances, a diagnosis (possibly as an ICD 10 code); this is a standard form of labelling carried out by doctors. The legal basis for this is your consent in line with Art 9 Para 2 lit a DSGVO. The insurance company also reserves the right to provide (certain) clients with vouchers that carry a certain code, with the help of which the affected insured party can also use TeleDoc services. We would ask you to clarify with your insurance company in advance whether you can settle the services provided by TeleDoc via your insurance company.
2.4. CREDIT CARD COMPANIES
If neither item 2.3 nor item 2.4 applies to you, you can be invoiced via an in-app purchase on the Apple App Store or Google Play or, possibly, via a credit card company. In this latter case, the credit card data (card owner, credit card number, expiry date and the security number on the reverse) are to be entered via an interface during registration. To this end, the identity of the client and the type and use of the service (one-off or subscription), but in no case the content of the telemedical service (health data), are communicated to the credit card company. In addition to this, the credit card data are processed. Correspondingly, the same applies to the former case above, for in-app purchases via the Apple App Store or Google Play.
3. DATA SECURITY
Your personal data are protected by the appropriate organisational and technical precautions. These precautions particularly apply to protection against unauthorised and illegal – but also accidental – access, processing, loss, use and manipulation.
This protection is provided, in particular, by the asymmetric algorithm from Auth0:
- Log-in requirement: Clients only have access to their personal data if they enter on their devices the e-mail address and the password that is registered with us and sent after registration. When first registering on a device and after the recording of the necessary data a private key is also generated (RSA with SHA-256). Clients, who have forgotten their password, can be assigned a new password via the link “reset password”.
After the initial successful registration the user can activate fingerprint or facial recognition in the settings of their mobile phone, depending upon the model, in order to improve the comfort of the registration process.
- End-to-end encryption: the communication between doctor and patient is encrypted with DTLS 1.3 via WebRTC end-to-end and thus meets a proven security standard.
Please note that we can therefore accept no liability of any form for the disclosure of information as a result of mistakes during data transmission not made by us and/or for any unauthorised access by third parties (e.g. hacker attacks).
4. PROCESSING OF THE DATA FROM THE DOCTORS
In the context of the TeleDoc app one must differentiate between two groups of doctors: The general practitioners who can be reached in the app (“TeleDoc doctors”) are contractual partners of TeleDoc Holding GmbH. During telemedical treatment these can also recommend the referral of the patient to a specialist doctor.
Regarding the specialist doctors located in Austria we process the following data:
– Full name
– Address (of the practice)
– Telephone number
– Practice opening hours
– Health insurance providers
These are public data that are freely accessible to everyone in public registers/lists such as the list of doctors of the Austrian Chamber of Doctors according to § 27 ÄrzteG. The legal basis for the processing of these data is the legitimate interest of TeleDoc Holding GmbH in line with Art 6 Para 1 lit f DSGVO.
These personal data of specialist doctors are processed for the duration of their listing in the list of doctors of TeleDoc and are no longer available following a deletion from the list of doctors.
5. STORAGE OF DATA
We will not store your data any longer than we are required to in order to meet our contractual and statutory obligations and to protect ourselves against any possible liability claims.
6. DATA SECURITY
Please keep your devices permanently protected against unauthorised access by third parties; use passwords that meet a high security standard; do not entrust your devices to a third party and do not reveal any passwords. Use an up-to-date firewall and virus protection programme and only visit the websites of authentic and serious providers. Check the authenticity and seriousness of e-mails addressed to you (phishing) and never hand over passwords or access data to third parties.
7. DELETION OF CLIENT DATA
We delete client data that are stored on the servers used by us within the period defined by the law. If there is a statutory obligation to retain these data for a certain period, they are only deleted when this period expires. These data, which are stored for a longer period, cannot be accessed for internal use.
8. APP AUTHORISATIONS
In order to guarantee that the TeleDoc app fully functions it is necessary that you allow the TeleDoc app access to certain functions of your devices.
In the case of iOS operating systems the following authorisations are required:
- Microphone: This is necessary for the audio and video chat.
- Camera: This is necessary for the video chat and, if required, for the photographing of documents.
- Photos: This is necessary, in order to save or upload files (photo files of documents) in your patient file.
In the case of Android operating systems the following authorisations are required:
- Microphone: This is necessary for the audio and video chat.
- Camera: This is necessary for the video chat and, if required, for the photographing of documents.
- Photos/Media/Data: This is necessary, in order to save or upload files (photo files of documents) in your patient file.
- Network connections: This is necessary for the communication with the TeleDoc servers.
These functions of your devices are exclusively used for providing our TeleDoc services.
9. JOINT RESPONSIBILITY FOR DATA
If you make use of a telemedical treatment, TeleDoc Holding GmbH and the TeleDoc doctors will also jointly process your personal data and health data.
The following data will be jointly processed:
Personal data in line with Art 4 Z 1 DSGVO:
- Full name
- Date of birth
- Telephone number
- Social security number
Health data in line with Art 9 Para 1 DSGVO:
- All health data that have been uploaded by the client themselves and/or recorded in the TeleDoc app under Settings/Profile/Medical and personal (e.g. descriptions of a medical condition).
- All health data that have been uploaded and/or entered by consulting doctors (e.g. prescriptions, referrals to other doctors or medical facilities, instructions and sick notes)
Purpose of this joint processing: The joint processing of your data is necessary in order for you to be able to make use of the telemedical treatment in the context of the TeleDoc app. TeleDoc itself has no access to the health data due to the encryption.
To this end, the jointly responsible entities (TeleDoc Holding GmbH and the respective TeleDoc doctors) have concluded an agreement in line with Art 26 DSGVO. If you wish to assert your rights as an affected party according to the DSGVO (see item 13), please principally contact us, TeleDoc Holding GmbH, via the contact details given above.
Cookies are small blocks of text that are deposited by a website on the user’s device. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that enables websites and servers to be assigned to the specific internet browser in which the cookie was saved. This enables websites and servers that are visited to distinguish the individual browser of the individual concerned person from other internet browsers that contain other cookies. The unique cookie ID enables a specific internet browser to be recognised and identified.
A cookie enables the information and offering on the website to be optimised in the interests of the user.
One can differentiate between the following categories of cookies:
- Essential cookies, which are required in order to guarantee basic functions of the website.
- Functionality cookies: These cookies allow us to align our website with the needs of users in order to improve the user experience.
- Session cookies: These are temporary cookies, that remain on the user’s computer until the browser is closed at which point they are automatically deleted.
- Permanent cookies: In order to improve user-friendliness, cookies remain stored on your device and enable us to recognise your browser upon your next visit.
You can set up your browser in such a way that you are informed about the setting of cookies and only permit cookies in individual cases, exclude the acceptance of cookies in specific cases or generally and activate the automatic deletion of cookies upon the closing of the browser.
The deactivation of cookies can lead to a limitation upon the functionality of our website.
11. YOUR RIGHTS ACCORDING TO THE DSGVO
11.1. RIGHT TO INFORMATION
If requested, we will provide you with comprehensive information about all the data about you stored by us within the period defined by law. Amongst other things, this information includes the processing purpose and categories of the personal data and the recipients or categories of recipient.
11.2. RIGHT TO RECTIFICATION
If you determine that we are using client and/or other user data without your consent, or if we violate statutory provisions, or if client or user data are incorrect, you can contact us at the above contact address at any time and demand the rectification of these data. As long as this is not inconsistent with our legitimate interests or statutory obligations, we will comply with this request in a timely manner and correct, complement or amend your personal data.
11.3. RIGHT TO DELETION
If you no longer want us to store the client data that are in our possession you can also demand the deletion of your client data at any time by writing to the e-mail address firstname.lastname@example.org. We will then delete all client data stored by us, unless there is a legal provision that obliges us to continue storing these client data. In such a case we will inform you that we continue to store your client data. We are not responsible for the deletion of your client data by third parties to whom we have passed on data in order to fulfil our contractual obligations.
11.4. RIGHT TO DATA TRANSFER
A long as this is technically possible you have the right to allow all data about you that are stored with us to be transferred to another company.
11.5. RIGHT TO OBJECT
You have the right to object to the processing of your data if this processing is for the purposes of direct marketing or for another purpose based on our legitimate interest in line with Art 6 Para 1 lit f DSGVO. Provided that we are processing your data for legitimate purposes you have the right to object to this processing if there are reasons for this related to your specific situation.
11.6. RIGHT TO REVOKE THE DECLARATION OF CONSENT
Upon beginning to make use of our services, users of our app give their consent to the processing of their personal data in connection with the use of the TeleDoc app for the purposes set out in this Data Protection Declaration.
If you do not consent to the use of data as explained upon registration it is unfortunately not possible for you to make use of the TeleDoc service.
You have the possibility of revoking the declaration of consent that you have given at any time in writing by sending an e-mail to email@example.com. This revocation does not affect the lawfulness of the data processing that has taken place on the basis of the declaration of consent up to the point at which this was revoked.
11.7. POSSIBILITY FOR MAKING A COMPLAINT
If you wish to report and assert claims and rights but do not wish to contact us directly you can also address your concerns or your complaints to the Data Protection Authorities. A corresponding form can be found on the website of the Data Protection Authorities via the following link: https://www.dsb.gv.at.